Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to index email values without special characters?

andresito123
Communicator
‎06-14-2016 12:41 PM

Hello to the community!

I have an email field with values following this pattern: <example@example.com>

Is there any way to remove the special characters < and > and index the value as example@example.com?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎06-14-2016 12:57 PM

Hello,

Several ways to do it. Please check this accepted answer

https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html

Also, you could achieve something similar with SEDCMD. PLease see the props.conf

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

  • Syntax:
    • replace - s/regex/replacement/flags
      • regex is a perl regular expression (optionally containing capturing groups).
      • replacement is a string to replace the regex match. Use \n for back references, where "n" is a single digit.
      • flags can be either: g to replace all matches, or a number to replace a specified match.
    • substitute - y/string1/string2/
      • substitutes the string1[i] with string2[i]

simple example: SEDCMD-hash = "s/this/that/g"

Make sure it doesn't conflict with other <> in the same log.

Hope this helps!

Thanks,
Raghav

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-14-2016 01:01 PM

Like this:

... | rex field=MyEmailFieldName mode=sed "s/[<>]//g"
Reply
Solved! Jump to solution

andresito123
Communicator
‎06-14-2016 01:53 PM

This works, but I want it to have in indexing time. I don't want the special characters to show up and need to map it on CIM so as Enterprise Security will correlate this info as an email without < and >.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-14-2016 02:01 PM

Then use SEDCMD (with the same sed string without the quotes)"

http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Anonymizedatausingconfigurationfiles

0 Karma
Reply
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎06-14-2016 12:57 PM

Hello,

Several ways to do it. Please check this accepted answer

https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html

Also, you could achieve something similar with SEDCMD. PLease see the props.conf

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

  • Syntax:
    • replace - s/regex/replacement/flags
      • regex is a perl regular expression (optionally containing capturing groups).
      • replacement is a string to replace the regex match. Use \n for back references, where "n" is a single digit.
      • flags can be either: g to replace all matches, or a number to replace a specified match.
    • substitute - y/string1/string2/
      • substitutes the string1[i] with string2[i]

simple example: SEDCMD-hash = "s/this/that/g"

Make sure it doesn't conflict with other <> in the same log.

Hope this helps!

Thanks,
Raghav

0 Karma
Reply
Solved! Jump to solution

andresito123
Communicator
‎06-14-2016 01:52 PM

I have put in my /opt/splunk/etc/system/local/props.conf the following:

[mysourcetype]
SEDCMD-stripEmail = "s/[<>]//g"

But it seems that the emails are indexed as: <example@example.com>.

Any ideas?

0 Karma
Reply
Solved! Jump to solution

Raghav2384
Motivator
‎06-14-2016 02:06 PM

Try without quotes

[mysourcetype]
SEDCMD-stripemail=s/[<>]//g as @woodcock stated

Hope this helps!

Thanks,
Raghav

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎06-14-2016 12:52 PM

Hi @andresito123

I think the pattern you were trying to show didn't render properly. I would edit your question and re-paste your sample pattern, but be sure to use the text editing tools. Highlight your code, then click on the "Code Sample" button for it to display.

0 Karma
Reply
Solved! Jump to solution

andresito123
Communicator
‎06-14-2016 01:51 PM

Fixed with an edit!

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...